New Somalia e-visa security flaw puts personal data of thousands at risk

Lacking effective security measures, Somalia’s new electronic visa website could be used by nefarious actors looking to download thousands of e-visas containing sensitive information, including people’s passport details, full names, and birthdates.

Following a tip from a source with experience in web development, Al Jazeera confirmed the system vulnerability this week.

The source gave Al Jazeera details about the at-risk data as well as proof that they had reported their concerns to Somali authorities last week to alert them to the vulnerability.

The source claimed that despite their efforts, the problem had not been resolved and that no response had been forthcoming from the authorities.

Bridget Andere, senior policy analyst at the digital rights group Access Now, told Al Jazeera that “breaches involving sensitive personal data are particularly dangerous because they put people at risk of identity theft, fraud, and intelligence gathering by malicious actors.”

Officials announced a month ago that they were looking into the country’s e-visa system after hackers breached the country’s website.

Al Jazeera was able to replicate the vulnerability that our source had discovered this week.

We quickly downloaded e-visas belonging to dozens of people that contained sensitive information. These included the personal information of people from Switzerland, Portugal, Sweden, the United States, and Somalia.

The Somali government did not respond when Al Jazeera asked it about the system flaw.

The government’s push to implement the e-visa system despite being blatantly unprepared for potential risks, and then redeploying it following a serious data breach, is an illustration of how disregard for people’s needs and rights can undermine public trust and lead to avoidable vulnerabilities, according to Andere.

The Somalian government’s failure to properly give notice of this serious data breach in November is also alarming.

According to Andere, “In such circumstances, Somalia’s data protection law requires data controllers to notify the data protection authority, and in high-risk situations, such as this incident, to also notify the individuals affected.”

Because of the number of people of different nationalities and thus of different legal jurisdictions involved, extra protections should be in place in this situation.

Because the vulnerability hasn’t been fixed, Al Jazeera can’t reveal technical details of the breach, as publishing them could give hackers the data necessary to replicate it.

To protect the privacy of those affected, Al Jazeera destroyed any sensitive information it obtained as part of this investigation.

Previous breach

More than 35,000 people who had applied for an e-visa to Somalia were the subject of a data breach that the US and the UK governments issued warnings about last month.

The US Embassy in Somalia stated at the time that “leaked data from the breach included visa applicants’ names, photos, dates and places of birth, email addresses, marital status, and home addresses.”

In an effort to improve security, Somalia’s Immigration and Citizenship Agency (ICA) updated its e-visa website to a new domain name in response to that data breach.

The immigration agency announced on November 16 that it was looking into the matter and that it was considering it with “special importance.”

Earlier that week, Somalia’s Defense Minister Ahmed Moalim Fiqi had praised the e-visa system, claiming it had successfully stopped ISIL (ISIS) fighters from entering the nation, amid months of fighting in the northern regions against a local affiliate of the group.

According to Access Now’s Andere, governments frequently implement e-visa systems in a hurried fashion, which often leads to insecure situations.

She added that it’s challenging for people to defend themselves from these kinds of data breaches.

She said that “data protection and cybersecurity considerations are frequently ignored first.” Because the information they provide is necessary for a particular process, it is challenging to shift the burden to the recipients.

Source: Aljazeera
